Virus toolkits are s'kiddie menace

Industry split on best defence

Much has been made of the developer's decision to pull the toolkit behind the Anna Kornikova virus - but anti-virus experts have warned that many such toolkits are readily available and just as easy to use by would-be vandals.

Last week the creator of K]Alamar's Vbs Worms Creator, used to create the Kornikova virus,pulled the toolkit from virus-creation Web sites, reportedly after pressure from friends appalled at the harm inflicted by Anna.

But there are many more toolkits capable of generating malicious code.

Anti-virus firms reckon that most viruses are developed using widely available toolkits. But there is widespread disagreement about a; the number of toolkits available to the public, and b; the best approach to deal with the potential threat.

According to Jack Clark, European product manager at Network Associates, there are perhaps 100 virus creation toolkits, though some are not particularly popular and so fail to grab the attention of anti-virus vendors.

Virus creation toolkits first came to prominence with the emergence of macro-viruses; and now toolkits to produce worms, boot sector and file viruses are all within easy reach, Clark says.

"The Anna Kornikova virus was the first time a virus created from a toolkit has spread so rapidly but there will be more," he predicts. While awareness of security issues has been raised by the publicity surrounding the Anna bug, 'script kiddies' may be encouraged to experiment with virus writing, he says.

Neil Barrett, technical director at Information Risk Management, confirms that no particular skill is needed to use virus-creation toolkits.

"It's trivial to use these toolkits. If you can use a point and click Windows-style interface and drive a web browser then it's simplicity itself to produce some surprisingly sophisticated viruses," he says.

IRM uses virus toolkits to create Trojans which are then used to check the security of his clients' networks.

The toolkits may have some legitimate uses, but in the vast majority of cases a used to create malicious code, and the antivirus industry is split on the right approach to take in defending against the problem.

Network Associates' Clark says the right approach is to include generic detection within anti-virus software, so that any virus produced with a particular toolkit will be automatically detected. Lack of generic detection means users of products from, for eample, rival Sophos, have to update their protection each time a new variant of a virus comes out.

According to Graham Cluley, senior technology consultant for Sophos, the inclusion of generic detection in antivirus software can trigger false alarms; for this reason Sophos preferrs to temper its use of generic detection, or heuristics, in its products.

The more important lesson to learn from virus outbreaks such as the Anna Kornikova virus and the Love Bug is that firms should consider blocking visual basic scripting and files with double extensions, both tricks used in the Anna bug, Cluley advises.

So toolkits are a problem; so why then can't security firms exert pressure on ISPs to stop hosting them, in the same way they pull sites containing offensive porn?

Or maybe security firms are secretly happy they allow virus creation to flourish - after all these keep anti-virus firms in the spotlight and helps them sell their software to frightened punters.

NAI's Clark denies this, saying it lacks the clout to exert pressure on ISPs to pull virus toolkits; besides, toolkits could be easily spread in newsgroups.

"We're not the Mafia and we don't have the ability to get ISPs to pull virus creation kits from Web sites," Clark says. "Its not as if we can tell them if they don't act they'll wake up with the head of a Trojan horse in their bed." ®